From 38407f49b3c936c55802e32a2fbd4f0931dfd8cd Mon Sep 17 00:00:00 2001
From: ken <2979602290@qq.com>
Date: Mon, 15 Dec 2025 10:26:55 +0800
Subject: [PATCH 1/6] fix:Resolve potential security issues in the project
---
hugegraph-server/hugegraph-core/pom.xml | 4 ++--
.../apache/hugegraph/util/CompressUtil.java | 19 ++++++++++++++++---
.../apache/hugegraph/util/StringEncoding.java | 2 +-
hugegraph-struct/pom.xml | 4 ++--
.../apache/hugegraph/util/StringEncoding.java | 2 +-
5 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/hugegraph-server/hugegraph-core/pom.xml b/hugegraph-server/hugegraph-core/pom.xml
index 0b12f8b25f..c337a1a5e8 100644
--- a/hugegraph-server/hugegraph-core/pom.xml
+++ b/hugegraph-server/hugegraph-core/pom.xml
@@ -32,7 +32,7 @@
1.3.11
0.7.4
5.12.1
- 1.8.0
+ 1.9.0
1.10.0
2.6.2
portable-1.8.3
@@ -198,7 +198,7 @@
${commons-compress.version}
- org.lz4
+ at.yawk.lz4
lz4-java
${lz4.version}
diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java
index 0d41a70959..f62a634c9f 100644
--- a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java
+++ b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java
@@ -173,6 +173,21 @@ private static Path zipSlipProtect(ArchiveEntry entry, Path targetDir)
return normalizePath;
}
+ private static Path zipSlipProtect(ZipEntry entry, Path targetDir)
+ throws IOException {
+ Path targetDirResolved = targetDir.resolve(entry.getName());
+ /*
+ * Make sure normalized file still has targetDir as its prefix,
+ * else throws exception
+ */
+ Path normalizePath = targetDirResolved.normalize();
+ if (!normalizePath.startsWith(targetDir.normalize())) {
+ throw new IOException(String.format("Bad entry: %s",
+ entry.getName()));
+ }
+ return normalizePath;
+ }
+
public static void compressZip(String inputDir, String outputFile,
Checksum checksum) throws IOException {
String rootDir = Paths.get(inputDir).toAbsolutePath().getParent().toString();
@@ -220,9 +235,7 @@ public static void decompressZip(String sourceFile, String outputDir,
ZipInputStream zis = new ZipInputStream(bis)) {
ZipEntry entry;
while ((entry = zis.getNextEntry()) != null) {
- String fileName = entry.getName();
- File entryFile = new File(Paths.get(outputDir, fileName)
- .toString());
+ File entryFile = new File(zipSlipProtect(entry, Paths.get(outputDir)).toString());
FileUtils.forceMkdir(entryFile.getParentFile());
try (FileOutputStream fos = new FileOutputStream(entryFile);
BufferedOutputStream bos = new BufferedOutputStream(fos)) {
diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java
index c8d831c9cc..38fbefa712 100644
--- a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java
+++ b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java
@@ -140,7 +140,7 @@ public static String decompress(byte[] value, float bufferRatio) {
}
public static String hashPassword(String password) {
- return BCrypt.hashpw(password, BCrypt.gensalt(4));
+ return BCrypt.hashpw(password, BCrypt.gensalt(12));
}
public static boolean checkPassword(String candidatePassword, String dbPassword) {
diff --git a/hugegraph-struct/pom.xml b/hugegraph-struct/pom.xml
index 62ad58ee94..0b0c7a7a11 100644
--- a/hugegraph-struct/pom.xml
+++ b/hugegraph-struct/pom.xml
@@ -109,9 +109,9 @@
8.1.0
- org.lz4
+ at.yawk.lz4
lz4-java
- 1.7.1
+ 1.9.0
org.apache.commons
diff --git a/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java b/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java
index 7e9ab6d8f3..18ef5eca23 100644
--- a/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java
+++ b/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java
@@ -165,7 +165,7 @@ public static String decompress(byte[] value, float bufferRatio) {
}
public static String hashPassword(String password) {
- return BCrypt.hashpw(password, BCrypt.gensalt(4));
+ return BCrypt.hashpw(password, BCrypt.gensalt(12));
}
public static boolean checkPassword(String candidatePassword,
From 3aee822c0c571c01ed686243b5c38bb1fe8822d5 Mon Sep 17 00:00:00 2001
From: ken <2979602290@qq.com>
Date: Tue, 16 Dec 2025 08:58:28 +0800
Subject: [PATCH 2/6] fix:bug fixes and code optimizations
---
hugegraph-server/hugegraph-core/pom.xml | 4 +-
.../apache/hugegraph/util/CompressUtil.java | 25 +--
hugegraph-struct/pom.xml | 4 +-
install-dist/release-docs/LICENSE | 1 +
.../licenses/LICENSE-lz4-java-1.8.1.txt | 202 ++++++++++++++++++
.../scripts/dependency/known-dependencies.txt | 3 +-
6 files changed, 213 insertions(+), 26 deletions(-)
create mode 100644 install-dist/release-docs/licenses/LICENSE-lz4-java-1.8.1.txt
diff --git a/hugegraph-server/hugegraph-core/pom.xml b/hugegraph-server/hugegraph-core/pom.xml
index c337a1a5e8..d9c65d1231 100644
--- a/hugegraph-server/hugegraph-core/pom.xml
+++ b/hugegraph-server/hugegraph-core/pom.xml
@@ -32,7 +32,7 @@
1.3.11
0.7.4
5.12.1
- 1.9.0
+ 1.8.1
1.10.0
2.6.2
portable-1.8.3
@@ -198,7 +198,7 @@
${commons-compress.version}
- at.yawk.lz4
+ org.lz4
lz4-java
${lz4.version}
diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java
index f62a634c9f..e4dea9bd2f 100644
--- a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java
+++ b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java
@@ -139,7 +139,7 @@ public static void decompressTar(String sourceFile, String outputDir,
ArchiveEntry entry;
while ((entry = tis.getNextEntry()) != null) {
// Create a new path, zip slip validate
- Path newPath = zipSlipProtect(entry, target);
+ Path newPath = zipSlipProtect(entry.getName(), target);
if (entry.isDirectory()) {
Files.createDirectories(newPath);
} else {
@@ -158,9 +158,9 @@ public static void decompressTar(String sourceFile, String outputDir,
}
}
- private static Path zipSlipProtect(ArchiveEntry entry, Path targetDir)
+ private static Path zipSlipProtect(String fileName, Path targetDir)
throws IOException {
- Path targetDirResolved = targetDir.resolve(entry.getName());
+ Path targetDirResolved = targetDir.resolve(fileName);
/*
* Make sure normalized file still has targetDir as its prefix,
* else throws exception
@@ -168,22 +168,7 @@ private static Path zipSlipProtect(ArchiveEntry entry, Path targetDir)
Path normalizePath = targetDirResolved.normalize();
if (!normalizePath.startsWith(targetDir.normalize())) {
throw new IOException(String.format("Bad entry: %s",
- entry.getName()));
- }
- return normalizePath;
- }
-
- private static Path zipSlipProtect(ZipEntry entry, Path targetDir)
- throws IOException {
- Path targetDirResolved = targetDir.resolve(entry.getName());
- /*
- * Make sure normalized file still has targetDir as its prefix,
- * else throws exception
- */
- Path normalizePath = targetDirResolved.normalize();
- if (!normalizePath.startsWith(targetDir.normalize())) {
- throw new IOException(String.format("Bad entry: %s",
- entry.getName()));
+ fileName));
}
return normalizePath;
}
@@ -235,7 +220,7 @@ public static void decompressZip(String sourceFile, String outputDir,
ZipInputStream zis = new ZipInputStream(bis)) {
ZipEntry entry;
while ((entry = zis.getNextEntry()) != null) {
- File entryFile = new File(zipSlipProtect(entry, Paths.get(outputDir)).toString());
+ File entryFile = new File(zipSlipProtect(entry.getName(), Paths.get(outputDir)).toString());
FileUtils.forceMkdir(entryFile.getParentFile());
try (FileOutputStream fos = new FileOutputStream(entryFile);
BufferedOutputStream bos = new BufferedOutputStream(fos)) {
diff --git a/hugegraph-struct/pom.xml b/hugegraph-struct/pom.xml
index 0b0c7a7a11..f3c18761e2 100644
--- a/hugegraph-struct/pom.xml
+++ b/hugegraph-struct/pom.xml
@@ -109,9 +109,9 @@
8.1.0
- at.yawk.lz4
+ org.lz4
lz4-java
- 1.9.0
+ 1.8.1
org.apache.commons
diff --git a/install-dist/release-docs/LICENSE b/install-dist/release-docs/LICENSE
index 031afefca7..cd538713bb 100644
--- a/install-dist/release-docs/LICENSE
+++ b/install-dist/release-docs/LICENSE
@@ -651,6 +651,7 @@ The text of each license is also included in licenses/LICENSE-[project].txt.
https://central.sonatype.com/artifact/org.lz4/lz4-java/1.4.0 -> Apache 2.0
https://central.sonatype.com/artifact/org.lz4/lz4-java/1.7.1 -> Apache 2.0
https://central.sonatype.com/artifact/org.lz4/lz4-java/1.8.0 -> Apache 2.0
+ https://central.sonatype.com/artifact/org.lz4/lz4-java/1.8.1 -> Apache 2.0
https://central.sonatype.com/artifact/org.nlpcn/nlp-lang/1.7.7 -> Apache 2.0
https://central.sonatype.com/artifact/org.objenesis/objenesis/2.6 -> Apache 2.0
https://central.sonatype.com/artifact/org.objenesis/objenesis/3.2 -> Apache 2.0
diff --git a/install-dist/release-docs/licenses/LICENSE-lz4-java-1.8.1.txt b/install-dist/release-docs/licenses/LICENSE-lz4-java-1.8.1.txt
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/install-dist/release-docs/licenses/LICENSE-lz4-java-1.8.1.txt
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/install-dist/scripts/dependency/known-dependencies.txt b/install-dist/scripts/dependency/known-dependencies.txt
index dda176954c..e6e0b03f10 100644
--- a/install-dist/scripts/dependency/known-dependencies.txt
+++ b/install-dist/scripts/dependency/known-dependencies.txt
@@ -389,8 +389,7 @@ lucene-sandbox-4.7.2.jar
lucene-sandbox-5.2.1.jar
lucene-suggest-5.2.1.jar
lz4-java-1.4.0.jar
-lz4-java-1.7.1.jar
-lz4-java-1.8.0.jar
+lz4-java-1.8.1.jar
metrics-annotation-4.2.4.jar
metrics-core-3.0.2.jar
metrics-core-3.1.5.jar
From 897d43121d23386eff1a962413b4cfaeb767a4ea Mon Sep 17 00:00:00 2001
From: ken <2979602290@qq.com>
Date: Tue, 16 Dec 2025 16:35:08 +0800
Subject: [PATCH 3/6] fix:bug fixes and code optimizations
---
hugegraph-server/hugegraph-core/pom.xml | 2 +
.../unit/util/StringEncodingTest.java | 16 ++
hugegraph-struct/pom.xml | 2 +
.../licenses/LICENSE-lz4-java-1.7.1.txt | 202 ------------------
.../licenses/LICENSE-lz4-java-1.8.0.txt | 202 ------------------
5 files changed, 20 insertions(+), 404 deletions(-)
delete mode 100644 install-dist/release-docs/licenses/LICENSE-lz4-java-1.7.1.txt
delete mode 100644 install-dist/release-docs/licenses/LICENSE-lz4-java-1.8.0.txt
diff --git a/hugegraph-server/hugegraph-core/pom.xml b/hugegraph-server/hugegraph-core/pom.xml
index d9c65d1231..2334496329 100644
--- a/hugegraph-server/hugegraph-core/pom.xml
+++ b/hugegraph-server/hugegraph-core/pom.xml
@@ -197,6 +197,8 @@
commons-compress
${commons-compress.version}
+
org.lz4
lz4-java
diff --git a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java
index 2d579c1dc4..caaac57f5a 100644
--- a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java
+++ b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java
@@ -23,6 +23,7 @@
import org.apache.hugegraph.util.Bytes;
import org.apache.hugegraph.util.StringEncoding;
import org.junit.Test;
+import org.mindrot.jbcrypt.BCrypt;
public class StringEncodingTest {
@@ -180,4 +181,19 @@ public void testReadAsciiString() {
buf = Bytes.fromHex("80");
Assert.assertEquals("", StringEncoding.readAsciiString(buf, 0));
}
+
+ @Test
+ public void testCheckPasswordSupportsOldAndNewCost() {
+ // oldWorkFactor
+ String oldPassword = BCrypt.hashpw("123456", BCrypt.gensalt(4));
+ // newWorkFactor
+ String newPassword = BCrypt.hashpw("123456", BCrypt.gensalt(12));
+
+ Assert.assertTrue(StringEncoding.checkPassword("123456", oldPassword));
+ Assert.assertTrue(StringEncoding.checkPassword("123456", newPassword));
+
+ // 反向校验,确保不接受错误口令
+ Assert.assertFalse(StringEncoding.checkPassword("bad-pass", oldPassword));
+ Assert.assertFalse(StringEncoding.checkPassword("bad-pass", newPassword));
+ }
}
diff --git a/hugegraph-struct/pom.xml b/hugegraph-struct/pom.xml
index f3c18761e2..b88d0ae204 100644
--- a/hugegraph-struct/pom.xml
+++ b/hugegraph-struct/pom.xml
@@ -108,6 +108,8 @@
fastutil
8.1.0
+
org.lz4
lz4-java
diff --git a/install-dist/release-docs/licenses/LICENSE-lz4-java-1.7.1.txt b/install-dist/release-docs/licenses/LICENSE-lz4-java-1.7.1.txt
deleted file mode 100644
index d645695673..0000000000
--- a/install-dist/release-docs/licenses/LICENSE-lz4-java-1.7.1.txt
+++ /dev/null
@@ -1,202 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "[]"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright [yyyy] [name of copyright owner]
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/install-dist/release-docs/licenses/LICENSE-lz4-java-1.8.0.txt b/install-dist/release-docs/licenses/LICENSE-lz4-java-1.8.0.txt
deleted file mode 100644
index d645695673..0000000000
--- a/install-dist/release-docs/licenses/LICENSE-lz4-java-1.8.0.txt
+++ /dev/null
@@ -1,202 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "[]"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright [yyyy] [name of copyright owner]
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
From 85586c781fad4faab577dba5a49fd0648fdcd1bf Mon Sep 17 00:00:00 2001
From: ken <2979602290@qq.com>
Date: Wed, 17 Dec 2025 17:10:28 +0800
Subject: [PATCH 4/6] fix:bug fixes and code optimizations
---
.../src/main/java/org/apache/hugegraph/util/StringEncoding.java | 1 +
.../java/org/apache/hugegraph/unit/util/StringEncodingTest.java | 1 -
.../src/main/java/org/apache/hugegraph/util/StringEncoding.java | 1 +
3 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java
index 38fbefa712..550fd44dcc 100644
--- a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java
+++ b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java
@@ -140,6 +140,7 @@ public static String decompress(byte[] value, float bufferRatio) {
}
public static String hashPassword(String password) {
+ // OWASP suggest 10 as minimum and 12-14 as production default
return BCrypt.hashpw(password, BCrypt.gensalt(12));
}
diff --git a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java
index caaac57f5a..4c7ddd315e 100644
--- a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java
+++ b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java
@@ -192,7 +192,6 @@ public void testCheckPasswordSupportsOldAndNewCost() {
Assert.assertTrue(StringEncoding.checkPassword("123456", oldPassword));
Assert.assertTrue(StringEncoding.checkPassword("123456", newPassword));
- // 反向校验,确保不接受错误口令
Assert.assertFalse(StringEncoding.checkPassword("bad-pass", oldPassword));
Assert.assertFalse(StringEncoding.checkPassword("bad-pass", newPassword));
}
diff --git a/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java b/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java
index 18ef5eca23..175985538a 100644
--- a/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java
+++ b/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java
@@ -165,6 +165,7 @@ public static String decompress(byte[] value, float bufferRatio) {
}
public static String hashPassword(String password) {
+ // OWASP suggest 10 as minimum and 12-14 as production default
return BCrypt.hashpw(password, BCrypt.gensalt(12));
}
From ff0565a6b113065cd7a8c77efb916aa0ff9a1930 Mon Sep 17 00:00:00 2001
From: ken <2979602290@qq.com>
Date: Thu, 18 Dec 2025 11:29:17 +0800
Subject: [PATCH 5/6] fix:bug fixes and code optimizations
---
.../hugegraph/auth/StandardAuthManager.java | 1 +
.../hugegraph/auth/StandardAuthManagerV2.java | 1 +
.../apache/hugegraph/util/CompressUtil.java | 24 ++++++++++++++-----
.../apache/hugegraph/util/StringEncoding.java | 5 ++--
.../unit/util/StringEncodingTest.java | 21 +++++++++-------
.../apache/hugegraph/util/StringEncoding.java | 5 ++--
6 files changed, 39 insertions(+), 18 deletions(-)
diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/auth/StandardAuthManager.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/auth/StandardAuthManager.java
index 67931a0450..a3224811f3 100644
--- a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/auth/StandardAuthManager.java
+++ b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/auth/StandardAuthManager.java
@@ -580,6 +580,7 @@ public HugeUser matchUser(String name, String password) {
}
if (StringEncoding.checkPassword(password, user.password())) {
+ // TODO: rehash password if bcrypt work factor is lower than expected
this.pwdCache.update(user.id(), password);
return user;
}
diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/auth/StandardAuthManagerV2.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/auth/StandardAuthManagerV2.java
index 5dcbc9378a..d2df45626c 100644
--- a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/auth/StandardAuthManagerV2.java
+++ b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/auth/StandardAuthManagerV2.java
@@ -947,6 +947,7 @@ public HugeUser matchUser(String name, String password) {
}
if (StringEncoding.checkPassword(password, user.password())) {
+ // TODO: rehash password if bcrypt work factor is lower than expected
this.pwdCache.update(user.id(), password);
return user;
}
diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java
index e4dea9bd2f..38175dea2c 100644
--- a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java
+++ b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java
@@ -139,7 +139,7 @@ public static void decompressTar(String sourceFile, String outputDir,
ArchiveEntry entry;
while ((entry = tis.getNextEntry()) != null) {
// Create a new path, zip slip validate
- Path newPath = zipSlipProtect(entry.getName(), target);
+ Path newPath = zipSlipProtect(entry, target);
if (entry.isDirectory()) {
Files.createDirectories(newPath);
} else {
@@ -158,17 +158,28 @@ public static void decompressTar(String sourceFile, String outputDir,
}
}
- private static Path zipSlipProtect(String fileName, Path targetDir)
+ private static Path zipSlipProtect(ArchiveEntry entry, Path targetDir)
throws IOException {
- Path targetDirResolved = targetDir.resolve(fileName);
+ return zipSlipProtect(entry.getName(), targetDir);
+ }
+
+ private static Path zipSlipProtect(ZipEntry entry, Path targetDir)
+ throws IOException {
+ return zipSlipProtect(entry.getName(), targetDir);
+ }
+
+ private static Path zipSlipProtect(String entryName, Path targetDir)
+ throws IOException {
+
+ Path targetDirResolved = targetDir.resolve(entryName);
+
/*
* Make sure normalized file still has targetDir as its prefix,
* else throws exception
*/
Path normalizePath = targetDirResolved.normalize();
if (!normalizePath.startsWith(targetDir.normalize())) {
- throw new IOException(String.format("Bad entry: %s",
- fileName));
+ throw new IOException(String.format("Bad entry: %s", entryName));
}
return normalizePath;
}
@@ -220,7 +231,8 @@ public static void decompressZip(String sourceFile, String outputDir,
ZipInputStream zis = new ZipInputStream(bis)) {
ZipEntry entry;
while ((entry = zis.getNextEntry()) != null) {
- File entryFile = new File(zipSlipProtect(entry.getName(), Paths.get(outputDir)).toString());
+ Path entryPath = zipSlipProtect(entry, Paths.get(outputDir));
+ File entryFile = new File(entryPath.toString());
FileUtils.forceMkdir(entryFile.getParentFile());
try (FileOutputStream fos = new FileOutputStream(entryFile);
BufferedOutputStream bos = new BufferedOutputStream(fos)) {
diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java
index 550fd44dcc..d6bf2c3a86 100644
--- a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java
+++ b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java
@@ -140,8 +140,9 @@ public static String decompress(byte[] value, float bufferRatio) {
}
public static String hashPassword(String password) {
- // OWASP suggest 10 as minimum and 12-14 as production default
- return BCrypt.hashpw(password, BCrypt.gensalt(12));
+ // OWASP suggests 10 as a minimum and 12–14 for production;
+ // workFactor 12 is not used by default due to its 200+ ms cost.
+ return BCrypt.hashpw(password, BCrypt.gensalt(10));
}
public static boolean checkPassword(String candidatePassword, String dbPassword) {
diff --git a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java
index 4c7ddd315e..69e7d3ae7b 100644
--- a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java
+++ b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java
@@ -184,15 +184,20 @@ public void testReadAsciiString() {
@Test
public void testCheckPasswordSupportsOldAndNewCost() {
- // oldWorkFactor
- String oldPassword = BCrypt.hashpw("123456", BCrypt.gensalt(4));
- // newWorkFactor
- String newPassword = BCrypt.hashpw("123456", BCrypt.gensalt(12));
+ String testPassword = "test123!@#";
- Assert.assertTrue(StringEncoding.checkPassword("123456", oldPassword));
- Assert.assertTrue(StringEncoding.checkPassword("123456", newPassword));
+ // Test old work factor (4)
+ String oldPassword = BCrypt.hashpw(testPassword, BCrypt.gensalt(4));
+ Assert.assertTrue(StringEncoding.checkPassword(testPassword, oldPassword));
+ Assert.assertFalse(StringEncoding.checkPassword("wrong", oldPassword));
- Assert.assertFalse(StringEncoding.checkPassword("bad-pass", oldPassword));
- Assert.assertFalse(StringEncoding.checkPassword("bad-pass", newPassword));
+ // Test new work factor (10)
+ String newPassword = BCrypt.hashpw(testPassword, BCrypt.gensalt(10));
+ Assert.assertTrue(StringEncoding.checkPassword(testPassword, newPassword));
+ Assert.assertFalse(StringEncoding.checkPassword("wrong", newPassword));
+
+ // Test that hashPassword uses the new cost factor
+ String hashedPassword = StringEncoding.hashPassword(testPassword);
+ Assert.assertTrue(StringEncoding.checkPassword(testPassword, hashedPassword));
}
}
diff --git a/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java b/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java
index 175985538a..f82b2229b1 100644
--- a/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java
+++ b/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java
@@ -165,8 +165,9 @@ public static String decompress(byte[] value, float bufferRatio) {
}
public static String hashPassword(String password) {
- // OWASP suggest 10 as minimum and 12-14 as production default
- return BCrypt.hashpw(password, BCrypt.gensalt(12));
+ // OWASP suggests 10 as a minimum and 12–14 for production;
+ // workFactor 12 is not used by default due to its 200+ ms cost.
+ return BCrypt.hashpw(password, BCrypt.gensalt(10));
}
public static boolean checkPassword(String candidatePassword,
From 03f2dc6d474037053e4ea81a035443172690cc3c Mon Sep 17 00:00:00 2001
From: ken <2979602290@qq.com>
Date: Thu, 18 Dec 2025 13:54:12 +0800
Subject: [PATCH 6/6] fix:bug fixes and code optimizations
---
.../apache/hugegraph/util/StringEncoding.java | 3 ++-
.../unit/util/StringEncodingTest.java | 20 ++++++++++++++++++-
.../apache/hugegraph/util/StringEncoding.java | 4 +++-
install-dist/release-docs/LICENSE | 2 --
4 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java
index d6bf2c3a86..7b10738580 100644
--- a/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java
+++ b/hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/StringEncoding.java
@@ -36,6 +36,7 @@ public final class StringEncoding {
private static final byte[] BYTES_EMPTY = new byte[0];
private static final String STRING_EMPTY = "";
private static final int BLOCK_SIZE = 4096;
+ private static final int BCRYPT_WORK_FACTOR = 10;
static {
final String ALG = "SHA-256";
@@ -142,7 +143,7 @@ public static String decompress(byte[] value, float bufferRatio) {
public static String hashPassword(String password) {
// OWASP suggests 10 as a minimum and 12–14 for production;
// workFactor 12 is not used by default due to its 200+ ms cost.
- return BCrypt.hashpw(password, BCrypt.gensalt(10));
+ return BCrypt.hashpw(password, BCrypt.gensalt(BCRYPT_WORK_FACTOR));
}
public static boolean checkPassword(String candidatePassword, String dbPassword) {
diff --git a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java
index 69e7d3ae7b..39d18802b9 100644
--- a/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java
+++ b/hugegraph-server/hugegraph-test/src/main/java/org/apache/hugegraph/unit/util/StringEncodingTest.java
@@ -198,6 +198,24 @@ public void testCheckPasswordSupportsOldAndNewCost() {
// Test that hashPassword uses the new cost factor
String hashedPassword = StringEncoding.hashPassword(testPassword);
- Assert.assertTrue(StringEncoding.checkPassword(testPassword, hashedPassword));
+ Assert.assertTrue("Hash should contain work factor 10",
+ hashedPassword.matches("^\\$2[aby]\\$10\\$.*")
+ );
+
+ // Compare computational cost between work factor 4 and 10
+ long start4 = System.nanoTime();
+ StringEncoding.checkPassword(testPassword, oldPassword);
+ long elapsed4 = System.nanoTime() - start4;
+
+ long start10 = System.nanoTime();
+ StringEncoding.checkPassword(testPassword, hashedPassword);
+ long elapsed10 = System.nanoTime() - start10;
+
+ // BCrypt cost difference: (10-4) = 6 => theoretical ~2^6 = 64x
+ Assert.assertTrue(
+ "Work factor 10 should be significantly slower than work factor 4 " +
+ "(expected exponential cost increase)",
+ elapsed10 >= elapsed4 * 32
+ );
}
}
diff --git a/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java b/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java
index f82b2229b1..f4690d430d 100644
--- a/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java
+++ b/hugegraph-struct/src/main/java/org/apache/hugegraph/util/StringEncoding.java
@@ -56,6 +56,8 @@ public final class StringEncoding {
private static final byte[] BYTES_EMPTY = new byte[0];
private static final int BLOCK_SIZE = 4096;
+ private static final int BCRYPT_WORK_FACTOR = 10;
+
static {
final String ALG = "SHA-256";
try {
@@ -167,7 +169,7 @@ public static String decompress(byte[] value, float bufferRatio) {
public static String hashPassword(String password) {
// OWASP suggests 10 as a minimum and 12–14 for production;
// workFactor 12 is not used by default due to its 200+ ms cost.
- return BCrypt.hashpw(password, BCrypt.gensalt(10));
+ return BCrypt.hashpw(password, BCrypt.gensalt(BCRYPT_WORK_FACTOR));
}
public static boolean checkPassword(String candidatePassword,
diff --git a/install-dist/release-docs/LICENSE b/install-dist/release-docs/LICENSE
index cd538713bb..9a1afd7663 100644
--- a/install-dist/release-docs/LICENSE
+++ b/install-dist/release-docs/LICENSE
@@ -649,8 +649,6 @@ The text of each license is also included in licenses/LICENSE-[project].txt.
https://central.sonatype.com/artifact/org.lionsoul/jcseg-core/2.2.0 -> Apache 2.0
https://central.sonatype.com/artifact/org.lionsoul/jcseg-core/2.6.2 -> Apache 2.0
https://central.sonatype.com/artifact/org.lz4/lz4-java/1.4.0 -> Apache 2.0
- https://central.sonatype.com/artifact/org.lz4/lz4-java/1.7.1 -> Apache 2.0
- https://central.sonatype.com/artifact/org.lz4/lz4-java/1.8.0 -> Apache 2.0
https://central.sonatype.com/artifact/org.lz4/lz4-java/1.8.1 -> Apache 2.0
https://central.sonatype.com/artifact/org.nlpcn/nlp-lang/1.7.7 -> Apache 2.0
https://central.sonatype.com/artifact/org.objenesis/objenesis/2.6 -> Apache 2.0